DuNews SQL Injection
DuNews SQL Injection refers to a critical security vulnerability found in the DuNews content management system (CMS). It allowed attackers to inject malicious SQL code into input fields, typically via URL parameters or forms.

The unvalidated input was directly processed by the backend database. This enabled unauthorized access to sensitive data (like user credentials, articles), data modification, or even complete database compromise.

It was a classic example of improper input sanitization. Patches were released to address this flaw, emphasizing the importance of secure coding practices like using prepared statements to prevent such attacks.
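
The difference between a concatenated query and a prepared statement, shown for a numeric article parameter such as the `iNews` value in the advisory below. This is an added example, not code from DuNews or from the advisory: it uses Python with an in-memory SQLite database as a stand-in for the ASP back end, and the schema, function names, sample rows and the assumption that `iNews` is an integer ID are all hypothetical.

```python
import sqlite3

# Constructed non-numeric parameter value, used only to show the difference in behaviour.
CONSTRUCTED_INPUT = "1 OR 1=1"

def make_db():
    """Build a constructed in-memory stand-in for the CMS database (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, type_id INTEGER, "
        "title TEXT, published INTEGER)"
    )
    db.executemany(
        "INSERT INTO news VALUES (?, ?, ?, ?)",
        [
            (1, 1, "Public story", 1),
            (2, 1, "Second public story", 1),
            (3, 2, "Unpublished draft", 0),
        ],
    )
    return db

def detail_concatenated(db, i_news):
    """Flawed pattern: the raw parameter text becomes part of the SQL statement."""
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = " + i_news
    return db.execute(sql).fetchall()

def detail_prepared(db, i_news):
    """Hardened pattern: validate the type, then bind the value as a parameter."""
    try:
        news_id = int(i_news)  # assumption: iNews is an integer article ID
    except (TypeError, ValueError):
        return []  # reject anything that is not a plain integer
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = ?"
    return db.execute(sql, (news_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    for value in ("1", CONSTRUCTED_INPUT):
        print(repr(value), "concatenated:", detail_concatenated(db, value))
        print(repr(value), "prepared:    ", detail_prepared(db, value))
```

With the concatenated query, the non-numeric value changes the `WHERE` clause and the unpublished row is returned; with the bound parameter the statement text never changes, so the same value is rejected as data.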

#Aria-Security Team Advisory
#<www.Aria-security.Com For English >
#<www.Aria-Security.net For Persian >
#Original Advisory:
#http://www.aria-security.com/forum/showthread.php?t=61
#-----------------------------------------------------------
#Software: DuNews
#Method: SQL Injection
#Vendor: http://www.duware.com/
#
#PoC:
#http://target/type.asp?iType=[SQL Injection]
#http://target/detail.asp?iNews=[SQL Injection]
#http://target/detail.asp?iType=[SQL Injection]
#http://target/detail.asp?action=[SQL Injection]
#
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸
All content is for educational purposes only. Unauthorized use of any information on this site is strictly prohibited.